Law Library Stacks

Back to Erasure of Online Information Index

The Data Protection Act 1998 regulates the processing of personal data in the United Kingdom.  That Act does not provide a process through which individuals may request to be forgotten, nor is such a right recognized by other UK laws.  However, a bill is currently being considered before Parliament that would repeal and replace the Data Protection Act by incorporating, and expanding upon, the European Union’s General Data Protection Regulation, which establishes a right to be forgotten, into the national law of the UK. 

While no specific law has yet been enacted, UK citizens do have the right, under a European Court of Justice Ruling, to request the removal of web pages that refer to them from Google’s search results.  In addition, the Defamation Act 2013 provides a specific process for individuals to request the removal of material that they believe is defamatory.  The process uses website operators as an intermediary to facilitate the removal of this type of information.  

I. Introduction

The Data Protection Act 1998 governs how personal information is held in the United Kingdom.[1]  The Act is broad and applies to obtaining, holding, using, or disclosing personal information.  It was enacted and implemented to meet the requirements of the European Union’s Data Protection Directive,[2] which has now been updated and replaced by the EU General Data Protection Regulation (GDPR).[3]  The Act is overseen by an Information Commissioner, who has stated that the aim of data protection legislation is to “strike a balance between the rights of individuals and the sometimes competing interests of those with legitimate reasons for using personal information.”[4]

The Data Protection Act 1998 does not provide a formal legal process to request to be “forgotten.”  However, the UK is currently part of the European Union, and as a result of a ruling from the European Court of Justice, individuals have the right to have links to web pages that refer to them removed from Google’s search results.[5]  The UK’s Information Commissioner is the local regulatory authority in the UK responsible for ensuring compliance with this ruling.[6]  In addition, the government recently introduced a bill, discussed below, to repeal and replace the Data Protection Act 1998, which includes provisions that would enable an individual to request to be forgotten online, in accordance with the provisions of the GDPR.[7] 

Defamation law is currently provided for in the Defamation Act 2013[8] and in the common law.  As discussed below, the Defamation Act provides a process through which persons who believe they have been defamed may request the removal of information from the website operator who hosts third party content, as well as the party who has posted the content.  

Back to Top

II.  Removal of Online Personal Information

On August 1, 2012, the government issued a statement of intent to introduce a new data protection bill to update and strengthen data protection laws.[9]  The statement of intent noted that the government wants to provide individuals with more control over their personal data and the right, with certain exceptions, to be forgotten.[10] 

On September 13, 2017, the government followed through on the statement of intent and introduced an almost two-hundred-page bill, known as the Data Protection Bill, which would repeal and replace the Data Protection Act 1998 and follow, but expand upon, the European Union’s GDPR.[11]  The GDPR will apply in the UK beginning in May 2018, and enable individuals to request the deletion of their personal data in certain circumstances.  While EU regulations are directly applicable, given the UK’s recent decision to leave the European Union,

[t]he Government has indicated that primary legislation is required to supplement the Directive, until the instrument is brought into UK law in line with provisions in the European Union (Withdrawal) Bill, because there are derogations (exemptions) within the GDPR where the UK wishes to exercise discretion over how certain provisions would apply.[12] 

The intent behind the Data Protection Bill is to “update data protection laws for the digital age”[13] and provide clarity for the UK’s data protection regime in anticipation of the UK leaving the EU.[14]  

Back to Top

III.  Removal of Online Defamatory Material

The use of online forums and social media can involve a number of different areas of law, the vast majority of which were drafted prior to the explosion in the use of communications technology.[15]  The law relating to defamatory material—that is, published material that causes, or is likely to cause, serious harm to a person’s reputation[16]—has recently been updated by the Defamation Act 2013, which was enacted in part to provide a fairer system for addressing materials published online.  The update

reflects the Government’s view that disputes should be resolved directly between the complainant and the poster [of the information] where possible.  It aims to support freedom of expression by giving the poster an opportunity to express his or her views.  It also aims to enable complainants to protect their reputation by resolving matters with the person who is responsible for the defamatory posting where they can be identified, while ensuring that material is removed where the poster cannot be identified or is unwilling to engage in the process.  The Government believes that this strikes a fair balance between all the interests involved.[17]

Prior to the enactment of the Defamation Act 2013, website operators generally automatically removed content upon the receipt of a complaint in order to avoid becoming a party to a lawsuit, as they were considered to be the publisher of the statement at common law and could be held liable for the content of these posts.[18]  Godfrey v. Demon Internet Ltd. was the leading case in this area and provided that a service provider who transmitted or facilitated the transmission of a post was considered to be the publisher of the statement at common law, and was thus liable for any defamatory statements.  Defenses available to website operators[19] were limited, and these cases were expensive to defend.[20]  Additionally, concerns were raised that this cautious approach was limiting free speech, as it meant that some non-defamatory content was being removed and, in cases where it was not removed, individuals were pursuing legal actions against the website operator rather than the individual who authored and posted the content.[21]   

Given the vast increase in online users, the government determined that failing to take action in this area of law would result in a chilling effect upon free speech.[22]  In 2011 the government held a public consultation on how to address online defamation.  Two main options were presented: the first option required a complainant to obtain a court order before an obligation could be imposed on the website provider to remove the allegedly defamatory material.  The second sought to place the website operator as a liaison point between the complainant and the individual who posted the allegedly defamatory material.[23]  The latter option was the preferred approach and was incorporated by section 5 of the Defamation Act 2013,[24] with the regulatory process contained in the Defamation (Operators of Websites) Regulations 2013.[25]  This process is designed to facilitate contact between the aggrieved party and the author of the content.[26]  Website operators are not under a duty to follow this procedure, and they may instead choose, independently from the process, whether or not to remove any disputed material, or whether they wish to rely on other defenses to the defamation action.[27]  

Section 5 of the Defamation Act 2013 provides website operators that host third-party content with a defense against claims of defamation.  In order to use the defense, however, the website operator must “show that it was not the operator who posted the statement on the website.”[28]  The defense may be defeated if the claimant can show that

  • he or she could not identify the person who posted the allegedly defamatory statement;
  • he or she notified the operator of the complaint relating to the statement; and
  • the website operator failed to respond to the complaint in accordance with the process contained in the Defamation (Operators of Websites) Regulations 2013.[29]

Section 5(6) of the Act provides that the complainant must include the following information in the complaint: his or her name, the statement as it appears on the website in question, and the reasons why the statement is believed to be defamatory.  Regulation 2 of the Defamation (Operators of Websites) Regulations 2013 provides that the complainant must also include the following information contacting the service provider:

(a)  specify the electronic mail address at which the complainant can be contacted;
(b)  set out the meaning which the complainant attributes to the statement referred to in the notice;
(c)  set out the aspects of the statement which the complainant believes are—

(i)   factually inaccurate; or
(ii)  opinions not supported by fact;
(d)  confirm that the complainant does not have sufficient information about the poster to bring proceedings against that person; and
(e)  confirm whether the complainant consents to the operator providing the poster with—
(i)   the complainant’s name; and
(ii)  the complainant’s electronic mail address.[30]

Even if the notice provided to the website operator does not contain all the information required by both the Act and the Regulations, the Regulations provide that it must be treated as a complaint for the purposes of the Defamation Act 2013.[31]

Within forty-eight hours of receiving a complaint, the website operator must send the poster of the content complained of

  • a copy of the complaint, with the complainant’s information concealed if he or she has not consented to the sharing of this information; and
  • written notice that the content complained of will be removed unless the poster provides a written response by midnight no later than the fifth day after the notification was sent.[32] 

The poster must then notify the operator of whether he or she wants the content to be removed from the website specified in the notice.  If the poster does not want the content to be removed, the poster must provide his or her full name and postal address, and indicate whether the website operator may provide this personal information to the complainant.  If the poster fails to respond to a notice from the website operator, or does respond but fails to include all the required information, the website operator must, within forty-eight hours after the deadline provided to the poster, remove the statement from the websites contained in the notice of complaint and notify the complainant of this.  If the poster responds to the website operator that he or she wants the content removed, the website operator has forty-eight hours after notification to remove the information, and must then notify the complainant that the content has been removed. 

If the website operator does not have a means of contacting the poster, he or she must remove the statement complained of within forty-eight hours of receiving a written notice from the complainant.  The website operator has forty-eight hours after receiving the complaint to send an acknowledgement to the claimant stating that either the poster has been notified, or the post has been removed.[33]

The law also provides an expedited process in cases where an alleged defamatory statement is posted repeatedly.  If the same complainant has requested the removal of the same material from the same website operator more than two times, and the information has been removed in accordance with the provisions of the Regulations, the complainant must specify this in the complaint and the website operator must remove the statement within forty-eight hours of receiving the complaint.[34]

If the website operator fails to follow the procedure specified in the Regulations and meet the time limits, the operator can potentially be held liable for the content.[35]

Back to Top

Prepared by Clare Feikert-Ahalt
Senior Foreign Law Specialist
November 2017

[1] Data Protection Act 1998, c. 29,, archived at

[2] Directive 95/46/EC of the European Parliament and of the Council of 24 October 1995 on the Protection of Individuals with Regard to the Processing of Personal Data and on the Free Movement of Such Data, 1995 O.J. (L 281) 31,, archived at  

[3] Regulation 2016/679 of the European Parliament and of the Council of 27 April 2016 on the Protection of Natural Persons with Regard to the Processing of Personal Data and on the Free Movement of Such Data, and Repealing Directive 95/46/EC (General Data Protection Regulation) art. 4(1), 2016 O.J. (L 119) 1, legal-content/EN/TXT/PDF/?uri=CELEX:32016R0679&from=EN, archived at

[5] Case C-131/12, Google Spain SL, Google Inc. v. Agencia Española de Protección de Datos, Mario Costeja González, ECLI:EU:C:2014:317, TXT&ancre, archived at

[6] House of Commons Library, The “Right to Be Forgotten, Sept. 2011, SN/HA/6983, http://researchbriefings., archived at  

[9] A New Data Protection Bill: Our Planned Reforms, Statement of Intent, Department for Digital, Culture Media & Sport (Aug. 7, 2017), data/file/635900/2017-08-07_DP_Bill_-_Statement_of_Intent.pdf, archived at

[10] Id.

[12] House of Lords, Data Protection Bill [HL] (HL Bill 66 of 2017-19), Library Briefing, at 1, http://research, archived at

[13] Data Protection Bill 2017, Protection Bill 2017. Department for Digital, Culture, Media & Sport (Sept. 14, 2017),, archived at

[14] House of Lords, supra note 12, at 1. 

[15] House of Lords, Select Committee on Communications, First Report, 2014-15, HL 37, available at, archived at

[16] Defamation Act 2013, c. 26, § 1(1),, archived at  

[17] Explanatory Memorandum to the Defamation (Operators of Websites) Regulations 2013, SI 2013/3028, ¶ 7.6,, archived at

[18] Godfrey v. Demon Internet Ltd. [1999] EWHC QB 244, ¶  available at EWHC/QB/1999/244.html, archived at  This case found that the service provider who transmits or facilitates the transmission of a post is the publisher of the statement at common law and that if, upon receiving notice of the defamatory nature of a post, the service provider fails to remove the content, it could not rely upon the defense contained in section 1 of the Defamation Act 1996, because if it did not remove the material upon receiving notice of the material’s defamatory nature, the service provider could not satisfy the requirement that it took reasonable care in relation to the publication and could no longer believe that its actions did not cause or contribute to the publication.  Id. ¶ 50.

[19] Defenses were available at common law and in the Electronic Commerce (EC Directive) Regulations 2002, SI 2002/2012, art. 19,, archived at, and the Defamation Act 1996, c. 31, § 1,, archived at

[21] Explanatory Memorandum to the Defamation (Operators of Websites) Regulations 2013, supra note 17, ¶ 7.2. 

[22] Id

[23] Draft Defamation Bill, Consultation, supra note 20.

[24] Defamation Act 2013, c. 26,, archived at  

[25] Defamation (Operators of Websites) Regulations 2013, SI 2013/3028, 2013/3028/contents/made, archived at  

[26] Defamation Act 2013, c. 26, § 5.

[27] Explanatory Memorandum to the Defamation (Operators of Websites) Regulations 2013, supra note 17, ¶ 7.4. 

[28] Defamation Act 2013, c. 26, § 5(2).   

[29] Id. § 5.

[30] Defamation (Operators of Websites) Regulations 2013, supra note 25, ¶ 2.

[31] Id. ¶ 4.

[32] Id. Sched. ¶ 2.

[33] Id. Sched. ¶¶ 2–4.

[34] Id. Sched. ¶ 9.

[35] House of Commons Library, The Defamation Act 2013, Jan. 2014, SN/HA/6801, at 6, http://researchbriefings., archived at

Back to Top

Last Updated: 04/16/2018